It should come as no surprise that the next major battle in IT security is focused on endpoints. Mobility and BYOD have made it possible for users to remotely access just about any business resource. The adoption of cloud-delivered services enables workloads to move to a shared environment bypassing on-premises, layered security defenses and directly accessible by the mobile workforce.
In this segmented and diverse environment, organizations are implementing a variety of security solutions focused on preventing the latest threats. What often gets neglected is eliminating the weaknesses that lead to attack in the first place, and continuously monitoring for signs of compromise throughout your environment. What can you do to effectively fight the endpoint battle?
Tip #1: Illuminate Hidden Endpoints
A mobile workforce with a plethora of mobile devices challenges traditional security architectures. Consider that limited connectivity can cause devices to not always be visible, that many devices may not have the resources to run full versions of security software, and since ownership of the device lies with the user, it often falls outside the control of IT.
What can you do?
- Start by getting a firm understanding of what’s connecting to your network. Use multiple techniques to form a composite view of connected endpoints and applications.
- Supplementing endpoint agents with active scanning, passive monitoring, and even analyzing events from your network infrastructure such as DNS or DHCP servers and logs from network components can help identify both managed and unmanaged endpoints. This information is pivotal in then helping build scan policies to identify vulnerabilities, non-compliant systems, or unprotected endpoints that are at risk or that are unprotected.
Tip #2: Identify Weaknesses
Traditional signature-based endpoint protection is no longer sufficient in preventing targeted malware. Innovative technologies such as sandboxing and application wrapping may help in some areas by identifying unknown threats. While all of this is focused on analyzing traffic to look for indications of possible threats, as the Verizon DBIR clearly notes time and time again, a prominent way attackers infiltrate organizations is through known vulnerabilities and security weaknesses.
What can you do?
- Before investing in exotic technologies, become exceptionally good at the basics.
- First, button up your endpoints and ensure they are hardened and regularly updated. Hardening your endpoints can reduce your exposure by removing weaknesses such as open ports that allow attackers to access critical servers or unencrypted communications from payment-processing terminals.
- Next, monitor critical changes on systems and track systems that drift out of compliance. Look to vulnerability management products to identify misconfigurations or extraneous applications as well as to continuous monitoring solutions that can track endpoints as they move out of compliance.
Tip #3: Routinely Check For Compromise
Compromised endpoints that connect to your network can propagate malware or become a springboard for advanced attacks. They can infiltrate critical resources by scanning for possible attack paths or weaknesses inside your network to transmit infection, gain root access through privilege escalation, or open pathways to access sensitive data.
What can you do?
- Identify endpoints and applications that are not authorized or updated or those that are vulnerable. Once vulnerable systems are identified, prioritize remediation of critical vulnerabilities that are exploitable by commercial frameworks such as Metasploit.
- Other recommendations include looking for signs of infection by identifying malicious processes on endpoints that are associated with malware; using threat intelligence services or looking for outbound communications to malicious sites; and monitoring sensitive data leaving your environment.
- Finally, look for anomalies and behavior indicative of malware For example, is the endpoint probing other endpoints or networks? Is it behaving like a bot or opening ports to botnet sites? Is it reaching out to critical servers or initiating never-before-seen activities or processes?
Tip #4: Measure Endpoint Security Effectiveness
Security, network infrastructure, and compliance solutions are often deployed and managed by separate parts of the organization. Often, the objectives of each team are independent, yet sharing goals and information from security activities and assessments can surely help all parties reach their unique goals and help the organization elevate its security profile.
What can you do?
- Start by building consistent security policies and then measuring your endpoint effectiveness against them.
- Then, identify the gaps where endpoint security policies are failing to meet business objectives. For example, build dashboards and reports that continuously measure how quickly you identify critically vulnerable and compromised endpoints and how quickly you remediate them.
- Implementing an endpoint security program based on defined frameworks such as critical cyber controls can help create a comprehensive, closed-loop process that can bring consistency to how endpoint security is implemented and measured in your organization.
Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program -- one that proactively detects known and unknown endpoints, helps identify what is critically vulnerable to attacks, what weaknesses exist in your environment, and how effective you are at identifying threats and remediating them. If you are clearly able to answer the question “How secure are we?” and demonstrate this throughout the organization, you are already on your way to a successful endpoint security program.